Published on 05 Jan 2008
"[Our IBM ISS assessor] … was technically adept and security savvy so he was able to conduct a detailed, specific assessment of our systems with very little learning curve." - Doug Medina, senior director of enterprise marketing, Hughes
Customer: Hughes
Industry: Telecommunications
Deployment country: United States
Solution: Managing Business Infrastructure, Security
Overview
Hughes reduces costs and enhances customer loyalty with IBM Internet Security Systems
Business need:
In 2004, a group of payment card issuers established the Payment Card Industry Data Security Standard (PCI DSS) to bolster electronic networks against customer identity theft. Credit card issuers now require retailers and their service providers to comply with strict PCI DSS requirements or face serious financial penalties in the event of credit card data theft. Hughes must meet PCI compliance standards as the managed network service provider carrying their credit card transactions.
Solution:
IBM ISS performed a three-day security assessment of Hughes’ network and security architecture, working closely with Hughes’ technical resources. Hughes’ network security standards and policies were well established but Hughes wasn’t sure how well until the assessment was completed. During the process, the company identified a need for more formal documentation for compliance. It requested technical guidance from IBM ISS for securing transactions in the approved manner.
Benefits:
Now PCI DSS compliant and with a strengthened service offering, Hughes is able to offer enhanced interface capabilities to its retail customers worldwide. Customers are assured that Hughes meets the best business practices of transaction processing security and that their data is protected and secure. At the same time, Hughes has strengthened the perception of its brand in a highly competitive marketplace.
Case Study
Challenge
Meet PCI DSS audit requirements
Solution
A thorough PCI DSS–approved assessment and audit
Key Benefits
– Met PCI DSS certification requirements before deadline
– Improved customer service through enhanced transaction security
– Protected and strengthened brand perception
Providing a secure environment for retailers worldwide
Retailers today are threatened with customer identity theft by hackers and sophisticated cyber-crime attacks. Whether a retailer is providing e-commerce or simply processing credit card data electronically, security threats such as identity theft and fraud can have far-reaching financial impact, involving customers, retailers and credit card issuers.
Hughes Network Systems, LLC is the global leader in providing broadband satellite networks and services for large enterprises, governments, small businesses and consumers. Its HughesNet service offering encompasses all broadband solutions and managed services from Hughes, bridging the best of satellite and terrestrial technologies. Hughes has shipped more than 1.5 million systems to customers in more than 100 countries. Headquartered outside Washington, D.C., in Germantown, Maryland, Hughes maintains sales and support offices worldwide. Hughes is a wholly owned subsidiary of Hughes Communications, Inc. (NASDAQ: HUGH).
As a managed network service provider, Hughes securely connects the distributed enterprise, enabling customer relationship management (CRM), enterprise resource planning (ERP) and credit card processing services. Many of its customers are retailers. In 2004, a group of payment card issuers established the Payment Card Industry Data Security Standard (PCI DSS) to bolster electronic networks against customer identity theft. Credit card issuers such as Visa, MasterCard, American Express and Discover now require retailers and their service providers to comply with strict PCI DSS requirements or face serious financial penalties in the event of credit card data theft. Just as retailers must meet PCI compliance standards, so must Hughes as the managed network service provider carrying their credit card transactions.
“Hughes has long been trusted by retail customers for its security, speed, efficiency and affordability when it comes to carrying customers’ credit card data,” says Doug Medina, senior director of enterprise marketing for Hughes. “We already followed ISO-9001 standards and maintained stringent security policies, but in our case, PCI compliance requires an annual audit from a third party. That’s when we turned to IBM Internet Security Systems.”
Supporting compliance with a Qualified Security Assessor
According to PCI DSS, Hughes qualifies as a Level 1 Service Provider. This means Hughes must use a qualified third-party vendor to complete the annual PCI Report on Compliance (ROC). Only approved and certified companies and assessors are permitted to conduct third-party ROC assessments, which immediately narrowed the list of potential providers.
IBM Internet Security Systems™ (ISS) is classified as a Qualified Security Assessor (QSA). Hughes selected IBM ISS based on the expertise of its security analysts and the content of its IBM Professional Security Services for PCI compliance. IBM ISS is a trusted security advisor to enterprises worldwide and was well positioned to work as Hughes’ advocate throughout the compliance process.
In the first step, IBM ISS performed a three-day security assessment of Hughes’ network and security architecture, working closely with Hughes’ technical resources. Hughes was impressed with the depth of experience and knowledge of the IBM ISS assessor. “Our IBM ISS assessor came to us already prepared with advice and made the entire process extremely efficient,” says Medina. “He was technically adept and security savvy so he was able to conduct a detailed, specific assessment of our systems with very little learning curve.”
Hughes’ network security standards and policies were well established, but Hughes wasn’t sure how well until the assessment was completed. During the process, the company identified a need for more formal documentation for compliance. It requested technical guidance from IBM ISS for securing transactions in the approved manner. The time from the beginning of the assessment to the submission of the ROC was less than four months for Hughes and IBM ISS. “The biggest surprise was how quickly the initial assessment, remediation and compliance report were completed,” says Medina. “We were compliant before the deadline and now that we’ve established some history, familiarity and documentation with IBM ISS, we will turn to them for future assessments as well.” This is no small feat, as the PCI deadlines come quickly and have taken many providers by surprise.
Turning PCI compliance into a customer benefit
Hughes is one of only a handful of managed network service providers to have received a Protection of Cardholder Information Data Security certification. Of more than 250 companies considered to be compliant by Visa USA’s Cardholder Information Security Program (CISP), Hughes is one of only nine companies certified for transmission of credit card information. Of those, Hughes is the largest managed network services company, with more sites under management than any other provider on the list. In addition, Hughes has a long history of providing enterprise networks to carry credit cards, dating back to the first WalMart wide area network (WAN) deployment. Today Hughes carries more than 1 billion financial transactions to seven credit authorizers each year from more than 19,000 restaurants and gas stations throughout the United States.
To be PCI compliant as a service provider, a networking company must address network operations processes and procedures as well as network architecture. Hughes has made significant investments in Network Operations Center infrastructure, remote equipment and business processes. Hughes’ system engineers and professional service experts understand the complexities of PCI DSS compliance. As a result, the company can create solutions that readily interface with existing customer equipment, making it easier to deploy PCI compliant solutions for its customers. And Hughes’ certification ensures that its WAN meets PCI standards.
Now by choosing Hughes, retailers will already have a managed network service provider that can offer a PCI-compliant WAN, virtual private network (VPN) over the Internet, or a private network configuration.
Business users must be confident that they are not just making do by employing a network alternative that merely skirts security standards. Hughes customers have confidence that they are meeting compliance guidelines. At the same time, the cost and complexity of establishing a PCI-compliant transaction architecture is not insignificant. The time required for retailers to achieve compliance on their own, compounded by the time and expense of PCI DSS audits by third-party security certification providers, builds a compelling case for working with service providers like Hughes.
Working with IBM to strengthen customer loyalty
Now PCI DSS compliant and with a strengthened service offering, Hughes is able to offer enhanced interface capabilities to its retail customers worldwide. IBM ISS expertise in security and PCI compliance, together with its QSA status, delivered a rapid, efficient auditing and remediation solution that ensured that Hughes would retain its respected position as a trusted service provider to its valued customers. Customers are assured that Hughes meets the best business practices of transaction processing security and that their data is protected and secure. At the same time, Hughes has strengthened the perception of its brand in a highly competitive marketplace.
For more information
To learn more about IBM Internet Security Systems Professional Security Services, contact your IBM representative or IBM Business Partner, or visit:
ibm.com/services/security
Components
IBM products and services that were used in this case study.
Service: GTS ITS Internet Security Systems: ISS Threat Mitigation